Key Takeaways
Two malicious browser extensions on the Chrome Web Store named "Phantom Shuttle" (幻影穿梭), published by the same threat actor and active for over eight years, pose as a legitimate VPN service for developers and foreign trade personnel.
Security researchers have found that these extensions work by injecting hardcoded proxy credentials into every HTTP authentication challenge, effectively placing the attackers in a man-in-the-middle (MitM) position that captures traffic in real time.
With over 2,180 users, the Phantom Shuttle Chrome extensions lure victims with a "multi-location network speed testing plugin" subscription model, creating the facade of a genuine commercial product while operating as sophisticated data-exfiltration malware.
“The extension performs actual latency tests to proxy servers and displays connection status, reinforcing the illusion of a legitimate product,” the report says. This approach differs from typical malware distribution, as users:
The core of the malware's operation is its ability to hijack and redirect user traffic. By modifying the bundled jQuery library (v1.12.2) files, the extension automatically injects hardcoded proxy credentials into all authentication challenges.
This allows the capture of all unencrypted data, such as passwords, form data, and session cookies, from over 170 targeted domains, including:
“An employee using this extension on a personal device that also accesses corporate VPN creates a breach vector,” researchers say. Furthermore, the extension maintains a persistent heartbeat to its command-and-control (C2) server, exfiltrating the user's registered email and password every five minutes.
The combination of credential and metadata exfiltration with the proxy MitM provides comprehensive data theft capabilities:
Socket submitted takedown requests to Google's Chrome Web Store security team.
Users are advised to scrutinize extension permissions before installation, particularly those requesting control over web requests and proxy settings.
Organizations should implement security policies that whitelist approved browser extensions and monitor for unusual network behavior, such as unexpected proxy authentication attempts.
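One way to look in egress logs for the two network behaviours described above (proxy authentication to a proxy the organization never approved, and a fixed five-minute heartbeat to one host), as an added example that is not Socket's or the researchers' code. The log format, hostnames, addresses, and thresholds are all assumptions made for this example.

```javascript
// Constructed egress-proxy log (hypothetical format). 203.0.113.10 is a
// documentation address, and c2.example.invalid is a placeholder host.
const SAMPLE_LOG = `
2024-05-01T10:00:00Z src=10.0.0.5 dst=www.example.com:443 proxy=proxy.corp.example proxy_auth=yes
2024-05-01T10:00:03Z src=10.0.0.5 dst=api.example.net:443 proxy=203.0.113.10:8080 proxy_auth=yes
2024-05-01T10:00:05Z src=10.0.0.5 dst=c2.example.invalid:443 proxy=- proxy_auth=no
2024-05-01T10:02:41Z src=10.0.0.5 dst=www.example.com:443 proxy=proxy.corp.example proxy_auth=yes
2024-05-01T10:05:06Z src=10.0.0.5 dst=c2.example.invalid:443 proxy=- proxy_auth=no
2024-05-01T10:07:19Z src=10.0.0.5 dst=mail.example.org:443 proxy=203.0.113.10:8080 proxy_auth=yes
2024-05-01T10:10:04Z src=10.0.0.5 dst=c2.example.invalid:443 proxy=- proxy_auth=no
2024-05-01T10:15:05Z src=10.0.0.5 dst=c2.example.invalid:443 proxy=- proxy_auth=no
`;

const LINE_RE = /^(\S+) src=(\S+) dst=(\S+) proxy=(\S+) proxy_auth=(yes|no)$/;

// Parse one event per line; timestamps become Unix seconds, dst keeps only the host.
function parseLog(text) {
  return text.split('\n').map(l => l.trim()).filter(Boolean).map(l => {
    const m = LINE_RE.exec(l);
    if (!m) throw new Error(`unparsed line: ${l}`);
    return { ts: Date.parse(m[1]) / 1000, src: m[2], dst: m[3].split(':')[0],
             proxy: m[4], proxyAuth: m[5] === 'yes' };
  });
}

// Proxy authentication sent to any proxy outside the allowlist: the trace an
// extension leaves when it answers auth challenges with its own credentials.
function unapprovedProxyAuth(events, allowlist) {
  const hits = new Set();
  for (const e of events) if (e.proxyAuth && !allowlist.has(e.proxy)) hits.add(e.proxy);
  return [...hits].sort();
}

// Hosts contacted at a near-constant interval (default 300 s +/- tolerance)
// at least minCount times: a simple heartbeat detector.
function periodicHosts(events, periodSec = 300, toleranceSec = 10, minCount = 4) {
  const byHost = new Map();
  for (const e of events) {
    if (!byHost.has(e.dst)) byHost.set(e.dst, []);
    byHost.get(e.dst).push(e.ts);
  }
  const hits = [];
  for (const [host, times] of byHost) {
    if (times.length < minCount) continue;
    times.sort((a, b) => a - b);
    const deltas = times.slice(1).map((t, i) => t - times[i]);
    if (deltas.every(d => Math.abs(d - periodSec) <= toleranceSec)) hits.push(host);
  }
  return hits.sort();
}
```

Run against the constructed log with an allowlist of `proxy.corp.example`, the first check reports `203.0.113.10:8080` and the second reports `c2.example.invalid`.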
This campaign highlights ongoing issues with Chrome Web Store security and the risks associated with malicious browser extensions. Just last month, researchers at LayerX Security discovered fake free VPN Chrome extensions that steal user data.
In August, a PRC-nexus espionage campaign targeted diplomats with web traffic hijacking to deliver malware.